RE: Failed to bind with LDAP server error

27876, modified 19 Years ago. Junior Member Posts: 39 Join Date: 12/13/06
Hello everyone,

I downloaded Liferay 4.2.0 source code from SVN repository and I deployed it to Tomcat 5.5.

We want to integrate Liferay with our OpenLDAP. I read the documentation about it but I don't know if we can do it. Liferay comes ready to use Apache Directory, Microsoft Active Directory and Novell eDirectory.

Do you have an idea about how I can configure it?

Thanks in advance
11291, modified 19 Years ago. Expert Posts: 451 Join Date: 6/21/06
Did you check out the LDAP Integration lifecast located in the LifeCast Video Tutorials?
http://www.liferay.com/web/guest/devzone/lifecast

In portal.properties, there are LDAP config params under these headings:

##
## LDAP Import
##

and

##
## Authentication Pipeline
##


You can also check out these classes:
LDAPImportUtil
LDAPAuth

If you're getting errors, post them so I can take a look.
28886, modified 19 Years ago. New Member Posts: 21 Join Date: 1/19/07
Hi, I am using OpenLDAP too; with some changes in the configuration I could make it work with the Liferay 4.2.0 – Tomcat bundle.
The problem with OpenLDAP is that it returns the password in the form:
{md5}…encrypted password......
and liferay compares this with:
{MD5}…encrypted password......
(you can see this in the catalina.log file)

so, the basic idea was to change the encryption algorithm to "md5" (lowercase), and guess what … it works!!!
Try this:

look for this file /tomcat/common/classes/portal-ext.properties
and change this:
auth.impl.ldap.password.encryption.algorithm.types=md5

now restart Tomcat.
Login with test@liferay.com and, in the Admin portlet, change the Authentication settings to enable LDAP. Change all the appropriate values for your LDAP server and you will see that in the Encryption Algorithm Types the list of values has only one choice: md5. Select this and then try to authenticate with a valid user from the LDAP server; as you will see, Liferay creates this account since it does not exist in the database yet.

Hope it works for you.
11291, modified 19 Years ago. Expert Posts: 451 Join Date: 6/21/06
Thanks Stuardo. We're constantly looking at improving our LDAP support. Thank you for your solution.
28971, modified 19 Years ago. Junior Member Posts: 27 Join Date: 1/22/07
Hi,

I have the same LDAP problem as you were having but the file

portal-ext.properties

is not under

/tomcat/common/classes/portal-ext.properties

On my system it is under:

/tomcat/webapps/ROOT/WEB-INF/classes/portal-ext.properties

and doesn't have the line

auth.impl.ldap.password.encryption.algorithm.types=md5

in it.

Can I just add this line?

Thanks for any help

Pat.
28111, modified 19 Years ago. Junior Member Posts: 59 Join Date: 12/19/06
I got the same problem with the SHA algorithm.

Vlad
28971, modified 19 Years ago. Junior Member Posts: 27 Join Date: 1/22/07
I tried putting the line

auth.impl.ldap.password.encryption.algorithm.types=md5

in the portal-ext.properties file.

Liferay does pick it up but I still can't log on via LDAP.

In the catalina.out file I get one of the following errors, depending on which algorithm I choose in Liferay:

LDAP password ******** does not match with given password "password plain text" for user id
LDAP password ******** does not match with given password {MD5}D6X8wmLZ6K2+zUPKEXMlsw== for user id
LDAP password ******** does not match with given password {md5}D6X8wmLZ6K2+zUPKEXMlsw== for user id
LDAP password ******** does not match with given password {SHA}3UFCJrMi9a6pI1cCO6eIsG2vpaI= for user id

So apparently my LDAP (which by the way is on OS X, which is OpenLDAP) uses some other scheme to
encrypt the password. Would having Kerberos turned on cause this? Does it use something else?

Pat.
28886, modified 19 Years ago. New Member Posts: 21 Join Date: 1/19/07
Make sure your password is encrypted with md5. I use a tool named JXplorer to view, create and modify LDAP entries; in this tool you can choose md5 to store the userPassword attribute.
I am not familiar with Kerberos so I can't help you with that. Just remember that Liferay compares the userPassword attribute with the password given by the user. It is a string comparison and does not connect to the LDAP server with the end user's credentials to verify the password.
28971, modified 19 Years ago. Junior Member Posts: 27 Join Date: 1/22/07
I have JXplorer but where do you choose md5 for the userPassword attribute?

Thanks

Pat
27961, modified 19 Years ago. New Member Posts: 16 Join Date: 12/15/06
I have tried using JXplorer and setting the password in md5 as well as sha. Still there is an error.
See message posted in,

http://www.liferay.com/web/guest/community/forums/message_boards/message/103156
28886, modified 19 Years ago. New Member Posts: 21 Join Date: 1/19/07
Siddharth Karandikar:
I have tried using JXplorer and setting the password in md5 as well as sha. Still there is an error.
See message posted in,

http://www.liferay.com/web/guest/community/forums/message_boards/message/103156


The problem described on that message board (27919) can be resolved if you change this:
auth.impl.ldap.password.encryption.algorithm.types=md5
you can see that "md5" is in lower case.
See more detailed instructions in previous messages above.
27961, modified 19 Years ago. New Member Posts: 16 Join Date: 12/15/06
Thanks. It seems that Liferay is doing the password check with 'md5'.

Now there is one more (more serious) issue.

I have a user named 'sss' in Liferay. I have an entry for 'sss' in apache-ds as well.
sss has 'ssss' as its Liferay password and 'abcd' as its LDAP password.

After making the suggested 'md5' changes (putting auth.impl.ldap.password.encryption.algorithm.types=md5 in portal-ext.properties), I get an
error (see below) when I type the wrong LDAP password on the login screen and no error in the case of the right LDAP password.


2007-02-21 04:48:16,519 1229809 [http-8080-Processor25] ERROR com.liferay.portal.security.auth.LDAPAuth - LDAP password {md5}4vxxTEcn7pOV8yTNLn8zHw== does not match with given password {md5}o9y00ineb94NtWht7kcUXQ== for user id 


Strange thing is ... in both cases (right and wrong password), the user logs in successfully!!

Note: I have following in portal-ext.properties as well.
auth.pipeline.enable.liferay.check=false

Any help on this will be appreciated
26436, modified 19 Years ago. New Member Posts: 10 Join Date: 9/13/06
To avoid the encryption scheme problems the best solution is not to compare passwords. Instead you must bind to the server with the user's password. The bind mechanism doesn't depend on the encryption function chosen for the password.

There's an entry in JIRA to change it in the new 4.2.2, and a workaround mangling the code can be found at
this thread
28886, modified 19 Years ago. New Member Posts: 21 Join Date: 1/19/07
Pere Cortada Bonjoch:
To avoid the encryption scheme problems the best solution is not to compare passwords. Instead you must bind to the server with the user's password. The bind mechanism doesn't depend on the encryption function chosen for the password.


I agree with you, bind is the correct way to check the user password. This workaround can help you if you don't want to change the source code. I hope that version 4.2.2 is released soon.
28886, modified 19 Years ago. New Member Posts: 21 Join Date: 1/19/07
Siddharth Karandikar:

auth.pipeline.enable.liferay.check=false


I think you should change auth.pipeline.enable.liferay.check to true; see the comments for this parameter in portal.properties:

    #
    # Set this to true to enable password checking by the internal portal
    # authentication. If set to false, password checking is delegated to
    # the authenticators configured in the "auth.pipeline.pre" and
    # "auth.pipeline.post" settings.
    #
    auth.pipeline.enable.liferay.check=true


Just remember to put this parameter in the portal-ext.properties file.

Also:
I think you should set LDAP authentication to enabled and required in the Enterprise Admin portlet. Maybe you checked the "Enabled" option for LDAP authentication, but "Required" is not checked.

Good luck.
28886, modified 19 Years ago. New Member Posts: 21 Join Date: 1/19/07
When you are editing or inserting a new user, you can enter the userPassword attribute by double-clicking on this attribute name. When a dialog window appears you can enter the password and confirmation; at the bottom of that window you can choose Plain Text, MD5 or SHA. After choosing md5, hit OK.
29231, modified 19 Years ago. New Member Posts: 22 Join Date: 1/29/07
Hi Stuardo,

I am trying to get OpenLDAP working with Liferay but I can't. What type of changes in the configuration have you made to get it working? My aim is to use the same LDAP (OpenLDAP) for Zimbra and Liferay.

Thanks in advance,

Felipe
28886, modified 19 Years ago. New Member Posts: 21 Join Date: 1/19/07
You should add this line:
auth.impl.ldap.password.encryption.algorithm.types=md5

in this file: /tomcat/webapps/ROOT/WEB-INF/classes/portal-ext.properties
if you are using Tomcat. If you are not using Tomcat, look for portal-ext.properties in the correct location for your application server/servlet engine.

After that, create the test@liferay.com user account in OpenLDAP, then start Tomcat and log on with test@liferay.com, enable and change the LDAP preferences in the Admin portlet and test the configuration.

Look for more details in this message thread.
29231, modified 19 Years ago. New Member Posts: 22 Join Date: 1/29/07
Thanks Stuardo for your fast reply!

I have done what you told me about md5 in portal-ext.properties but I have a problem with the connection between the LDAP server and Liferay. Looking at the properties of my OpenLDAP I have the following parameter but I don't know where and how to put it in the Admin portlet of Liferay:

zimbra_ldap_userdn= uid=zimbra,cn=admins,cn=zimbra

I am a newbie in LDAP and I would appreciate any help with this!

Thanks
28886, modified 19 Years ago. New Member Posts: 21 Join Date: 1/19/07
pipe melero:

zimbra_ldap_userdn= uid=zimbra,cn=admins,cn=zimbra

Hi, sorry for the late response.
I don't have experience with Zimbra, but it looks to me like the information you are entering is the user that the system uses to connect to the LDAP server. In Liferay that information should be put in the Principal field in the Admin Portlet on the User - Authentication - LDAP tab.

You can see a tutorial for LDAP integration in this page: Liferay documentation
29231, modified 19 Years ago. New Member Posts: 22 Join Date: 1/29/07
Hi,

In my Liferay Admin Portlet I can see that I can reach the LDAP server with the configuration:
- ldap://localhost:389
- uid=zimbra,cn=admins,cn=zimbra
- credentials=*********

but watching the log I have seen this error message:
ERROR [LDAPAuth:52] LDAP password {SSHA} jlsjj4l5n44564khrwewr+ does not match with given password {md5} 34e3f34t24r4r4545454g for user id

I have seen Liferay's lifecast about LDAP but unfortunately I am using OpenLDAP, which is not prepared for Liferay but can be used. I have changed portal-ext.properties, writing SSHA instead of md5, but no success. Does it mean that Zimbra's OpenLDAP is giving me the password with SSHA (Liferay doesn't accept this type of encryption)?

Can anyone help with this trouble? I have also modified LDAPAuth.java as one post about this says, but no success.

Thanks
28886, modified 19 Years ago. New Member Posts: 21 Join Date: 1/19/07
Sorry for the late response,
as you can see in your error message:
pipe melero:

but watching the log I have seen this error message:
ERROR [LDAPAuth:52] LDAP password {SSHA} jlsjj4l5n44564khrwewr+ does not match with given password {md5} 34e3f34t24r4r4545454g for user id


the problem is that you are storing the password in {SSHA} and not {md5}.
Change the password in OpenLDAP and store it in md5.
29231, modified 18 Years ago. New Member Posts: 22 Join Date: 1/29/07
Hi all,

we have solved the problem with our Zimbra LDAP (OpenLDAP) connection to Liferay.

What we did was modify the file LDAPAuth.java, adding support for the SSHA algorithm as described in this post: http://www.liferay.com/web/guest/community/forums/message_boards/message/104475

Regards,

Felipe
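The thread's failures all come from comparing the userPassword string byte-for-byte after re-hashing the login password with one configured scheme: OpenLDAP writes "{md5}" or "{SSHA}" while the portal expects "{MD5}", and a salted scheme cannot be recomputed without the salt. The check below is an added example (not Liferay's LDAPAuth code and not the patch from the linked post) showing how a scheme-aware comparison handles both Pat's {MD5}/{md5}/{SHA} mismatches and Felipe's {SSHA} values: it parses the RFC 2307 prefix case-insensitively, recovers the salt from the stored value, fails closed on unknown schemes and uses a constant-time compare. A bind with the user's credentials, as Pere suggests, is still the better design; this only fixes the compare-based path.

```python
import base64
import hashlib
import hmac

# Digest length per scheme lets us split "digest || salt" in the stored value.
_DIGEST_LEN = {"MD5": 16, "SMD5": 16, "SHA": 20, "SSHA": 20}
_HASH_NAME = {"MD5": "md5", "SMD5": "md5", "SHA": "sha1", "SSHA": "sha1"}


def make_userpassword(scheme, password, salt=b""):
    """Build an RFC 2307 style userPassword value such as '{SSHA}<base64(digest+salt)>'.
    Used here only to construct sample values; a directory server would normally do this."""
    scheme = scheme.upper()
    digest = hashlib.new(_HASH_NAME[scheme], password.encode("utf-8") + salt).digest()
    return "{%s}%s" % (scheme, base64.b64encode(digest + salt).decode("ascii"))


def verify_userpassword(stored, candidate):
    """Return True if candidate matches the userPassword value read from the directory.

    The '{scheme}' prefix is matched case-insensitively, so '{md5}' from OpenLDAP and
    '{MD5}' both work; salted schemes (SSHA/SMD5) re-hash with the salt taken from the
    stored value instead of expecting an exact string match. Unknown schemes are rejected."""
    if not stored.startswith("{") or "}" not in stored:
        # No prefix at all: the directory stored the password in the clear.
        return hmac.compare_digest(stored.encode("utf-8"), candidate.encode("utf-8"))
    scheme, _, payload = stored[1:].partition("}")
    scheme = scheme.upper()
    if scheme == "CLEARTEXT":
        return hmac.compare_digest(payload.encode("utf-8"), candidate.encode("utf-8"))
    if scheme not in _HASH_NAME:
        return False  # e.g. {CRYPT}: fail closed rather than accept or guess
    try:
        raw = base64.b64decode(payload, validate=True)
    except (ValueError, TypeError):
        return False
    n = _DIGEST_LEN[scheme]
    digest, salt = raw[:n], raw[n:]
    if len(digest) != n:
        return False
    expected = hashlib.new(_HASH_NAME[scheme], candidate.encode("utf-8") + salt).digest()
    return hmac.compare_digest(expected, digest)
```

The same function accepts an SSHA value that a literal "{md5}" comparison in the log above rejects, and it rejects a wrong password for every scheme rather than falling through to a successful login.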
32096, modified 18 Years ago. Junior Member Posts: 59 Join Date: 5/24/07
Hi, I have one problem. I have installed Liferay 4.2.2 and I have imported the users of my company's LDAP. When I try to log in with the email everything is OK, but when I try to log in with the user id (and this is what I need) I can't. There aren't any errors on the console and I don't know what the problem is, because the user id is the right one and the password too, since with the email it works.

Any idea? Thanks.
29231, modified 18 Years ago. New Member Posts: 22 Join Date: 1/29/07
Hi,

finally I did solve my problems importing AD users into Liferay by watching the traces and modifying LDAPAuth.java. You can enable debug logging for LDAP by modifying the file portal-log4j.xml located in ../portal-ejb/classes/META-INF/. I had the same problem and the solution was to modify the mappings that Liferay does.

Regards
29151, modified 19 Years ago. New Member Posts: 5 Join Date: 1/29/07
Hello guys,

I have not yet tried out the built-in LDAP feature of Liferay, but we have successfully built this feature on our own using the Spring LDAP support. It works fine! Of course, we had to make a few changes to Liferay.

I think this should be considered when you would like to deploy Liferay with LDAP in a production environment.

Regards,